volatility
Volatility is a tool that can be used to perform memory forensics.
Installation -
sudo apt install volatility
or
git clone https://github.com/volatilityfoundation/volatility
cd volatility
python vol.py
Step.1 Finding Profile of Memory Dump File
volatility -f Path_To_file imageinfo
Basic Command -
volatility -f Path_To_file --profile=Profile_Name Plugin_Name
Step.2 Using Plugins
1.To list all processes - pslist
ex - volatility -f Path_To_file --profile=Win7SP1x64 pslist
2.To see Hidden Processes - psxview
ex - volatility -f Path_To_file --profile=Win7SP1x64 psxview
3.To list executed Commands - cmdscan
ex - volatility -f Path_To_file --profile=Win7SP1x64 cmdscan
4.To see the output of executed Commands - consoles
ex - volatility -f Path_To_file --profile=Win7SP1x64 consoles
5.To see clipboard content - clipboard
ex - volatility -f Path_To_file --profile=Win7SP1x64 clipboard
6.To see Environment Variables - envars
ex - volatility -f Path_To_file --profile=Win7SP1x64 envars
7.Scan Files - filescan
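As an added example (not part of the original notes): a small Python helper that runs the psxview command above and flags processes that are missing from pslist but still found by psscan with no ExitTime, which is what a process unlinked from the active-process list looks like. The sample psxview output is constructed, and run_psxview assumes Volatility 2 is on PATH.

```python
import subprocess
from dataclasses import dataclass

# Constructed sample of Volatility 2 psxview output (not taken from a real image).
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003fc2c030 System                    4 True   True   True     True   False False   False
0x000000003e4e67c0 svchost.exe             832 True   True   True     True   True  True    True
0x000000003ea9f030 notepad.exe            2140 False  True   False    False  False False   False    2020-05-01 10:22:13 UTC+0000
0x000000003e9c1b30 lsass.exe              1100 False  True   True     True   True  True    True
"""

# The seven process-enumeration sources psxview cross-references, in column order.
SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

@dataclass
class PsxRow:
    offset: int      # physical offset of the _EPROCESS
    name: str
    pid: int
    seen: dict       # source name -> True/False
    exit_time: str   # empty string while the process is still running

def parse_psxview(text):
    """Parse psxview's whitespace-aligned table; banner, header and ruler are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        parts = line.split()
        flags = parts[3:3 + len(SOURCES)]
        rows.append(PsxRow(offset=int(parts[0], 16), name=parts[1], pid=int(parts[2]),
                           seen=dict(zip(SOURCES, (f == "True" for f in flags))),
                           exit_time=" ".join(parts[3 + len(SOURCES):])))
    return rows

def suspicious(rows):
    """Missing from pslist but still found by psscan with no ExitTime: unlinked from the
    active-process list rather than terminated (terminated rows carry an ExitTime)."""
    return [r for r in rows
            if not r.seen["pslist"] and r.seen["psscan"] and not r.exit_time]

def run_psxview(image_path, profile):
    """Run the cheat sheet's psxview command (needs Volatility 2 on PATH) and parse it."""
    cmd = ["volatility", "-f", image_path, "--profile=" + profile, "psxview"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_psxview(out)
```

On the constructed sample only lsass.exe (PID 1100) is flagged; notepad.exe is skipped because its ExitTime marks it as merely terminated.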
(Hint- grep folders like Documents/Downloads/Desktop and try grepping words like .kdbx,.rar,.zip,png,bmp,jpg/jpeg,important,Pass/Password)
ex - volatility -f Path_To_file --profile=Win7SP1x64 filescan | grep Documents
8.Dumping Files - dumpfiles -Q (physical offset of the file object, as printed by filescan) -D (Destination)
ex - volatility -f Path_To_file --profile=Win7SP1x64 dumpfiles -Q 0x0000000017663e7 -D .
9.Dumping Memory of a particular process - memdump
memdump -p (pid) -D (Destination path)   (lowercase -p is the PID filter; uppercase -P means something else in Volatility 2)
ex - volatility -f Path_To_file --profile=Win7SP1x64 memdump -p 231 -D .
10.To see process command lines - cmdline
cmdline -p (comma-separated pids from pslist)
ex - volatility -f Path_To_file --profile=Win7SP1x64 cmdline -p 123,234
11.To see file creation and modification dates, including deleted files - mftparser
ex - volatility -f Path_To_file --profile=Win7SP1x64 mftparser
12. To see last Shutdown Time - shutdowntime
ex - volatility -f Path_To_file --profile=Win7SP1x64 shutdowntime
13. To Dump Screenshots - screenshot -D (path)
ex - volatility -f Path_To_file --profile=Win7SP1x64 screenshot -D .
14. Grepping Interesting Things -
strings Challenge.raw | grep "Mega"
strings Challenge.raw | grep "Pastebin"
strings Challenge.raw | grep "Passwords"
strings Challenge.raw | grep "Flag{"
External Plugins
To install extra plugins, such as Chrome history and Firefox history parsers, clone the GitHub repo https://github.com/superponible/volatility-plugins
Practice
For practicing memory forensics there is a very good GitHub repo with 6 challenges, from basic to advanced:
https://github.com/stuxnet999/MemLabs
For Windows
If we are using Windows we can also use the Autopsy software to perform memory forensics.